DataBreaches.Net


Years later, Marriott admits data were not encrypted before its 2018 data breach. Now what?

Posted on May 4, 2024 by Dissent

What might happen to a company that has been making false claims about its system security for more than five years after experiencing a massive data breach? Will state attorneys general, the SEC, and the FTC investigate and possibly penalize them for a significant misrepresentation to consumers and regulators?

CSO Online has a significant update concerning litigation against Marriott over the 2018 breach that affected hundreds of millions of customers:

For more than five years, Marriott has defended a massive 2018 data breach by arguing that its encryption level (AES-128) was so strong that the case against it should be dismissed. But attorneys for the hotel chain admitted in an April 10 hearing that it had never used AES-128 during the time of the breach.

In fact, it hadn’t been using any encryption at all at the time but rather had been using secure hash algorithm 1 (SHA-1), which is a hashing mechanism and not encryption.

During the hearing of the US District Court for the District of Maryland Southern Division, Judge John Preston Bailey ordered Marriott “to correct any information on its website within seven days.”
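The distinction the court drew matters because a hash of a low-entropy value is not protection at all. A 16-digit card number with a known issuer prefix leaves only a few hundred million Luhn-valid candidates, so an unsalted SHA-1 of it can be reversed by enumeration, whereas a value encrypted (or otherwise transformed) under a secret key cannot. The following is an added illustration, not code from this article, from CSO Online, or from Marriott; nothing on this page describes how Marriott's tables were actually laid out, so the unsalted-hash format, the well-known Visa test card number, the "known prefix" and the secret key are all constructed assumptions. HMAC-SHA1 from the standard library stands in for any keyed construction (AES would serve the same point but needs a third-party library).

```python
"""Why an unsalted SHA-1 of a payment card number is reversible.

Constructed illustration (not from the article, CSO Online or Marriott).
The PAN used is the public Visa test number 4111 1111 1111 1111; every
digest below is computed here, not taken from any breach.
"""
import hashlib
import hmac
import itertools

PAN_LENGTH = 16


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn check digit that makes `partial + digit` valid.

    The check digit sits at the right; the digit immediately left of it
    (the last digit of `partial`) is the first one doubled.
    """
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True if `pan` is all digits and its last digit is the Luhn check digit."""
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]


def sha1_hex(pan: str) -> str:
    """Unsalted SHA-1 over the ASCII digits: a hash, not encryption."""
    return hashlib.sha1(pan.encode()).hexdigest()


def keyed_tag(pan: str, key: bytes) -> str:
    """A keyed stand-in for encryption: HMAC-SHA1 under a secret key.

    Same output length as sha1_hex, so a mismatch below is not an artifact
    of comparing digests of different sizes.
    """
    return hmac.new(key, pan.encode(), hashlib.sha1).hexdigest()


def candidate_count(prefix_len: int, length: int = PAN_LENGTH) -> int:
    """Number of Luhn-valid PANs of `length` digits sharing a known prefix.

    The check digit is determined by the others, so only the remaining
    account digits are free. A 6-digit BIN on a 16-digit PAN leaves 10**9.
    """
    return 10 ** (length - prefix_len - 1)


def recover_pan(target_hex: str, known_prefix: str, length: int = PAN_LENGTH):
    """Recover the PAN behind an unsalted SHA-1 digest by enumeration.

    Enumerates every account-digit combination after `known_prefix`,
    computes the check digit, hashes, and compares. Returns None when no
    candidate matches, which is what happens when the target was produced
    under a secret key the attacker does not hold.
    """
    free = length - len(known_prefix) - 1
    for digits in itertools.product("0123456789", repeat=free):
        body = known_prefix + "".join(digits)
        candidate = body + luhn_check_digit(body)
        if sha1_hex(candidate) == target_hex:
            return candidate
    return None


if __name__ == "__main__":
    pan = "4111111111111111"          # constructed: public Visa test number
    prefix = pan[:12]                 # constructed: assume 12 digits known
    secret = b"constructed-secret-key"  # constructed: the "encryption" key

    print("search space with a 6-digit BIN known:", candidate_count(6))
    print("search space with 12 digits known:   ", candidate_count(12))

    hashed = sha1_hex(pan)
    print("unsalted SHA-1 recovered ->", recover_pan(hashed, prefix))

    keyed = keyed_tag(pan, secret)
    print("keyed tag recovered      ->", recover_pan(keyed, prefix))
```

The unsalted digest is recovered after at most a thousand trials here; with only the six-digit BIN known, the same loop needs up to a billion trials, which is feasible on commodity hardware for a 1990s-era hash like SHA-1. Against the keyed tag the identical enumeration returns None, because the mapping from card number to stored value depends on a key the attacker never sees. That is the property "encryption" implies and a bare hash lacks; adding a per-record salt that is stored beside the hash does not restore it, since the salt is also in the stolen table.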

The Correction

Read more of Evan Schuman's report on CSO Online. Schuman notes that, in response to the judge's order, Marriott didn't issue a new post on its site to call attention to the correction. It merely edited its original website notice to add two sentences:

Following an investigation with several leading data security experts, Marriott initially determined that the payment card numbers and certain passport numbers in the database tables involved in the Starwood database security incident that Marriott reported on November 30, 2018, were protected using Advanced Encryption Standard 128 encryption (AES-128). Marriott has now determined that the payment card numbers and some of the passport numbers in those tables were instead protected with a different cryptographic method known as Secure Hash Algorithm 1 (SHA-1).

[Note: Marriott’s original statement on their web page had been reported on DataBreaches.]

Now What?

Schuman notes that the admission, years later, that no encryption was used raises a whole host of questions that have yet to be answered.

Did Marriott get reimbursed by their insurance carrier because they claimed the data had been encrypted?

Will the Securities and Exchange Commission have something to say about misleading investors by claiming encryption when it wasn’t used?

How is it that this wasn’t discovered and corrected in 2019 or 2020 at the latest? Why is this first coming out now?

Were there other lawsuits that were dismissed because of Marriott’s claim that data were encrypted? Were there other potential plaintiffs who did not sue because they relied upon Marriott’s claim of encryption?

Was this an innocent mistake on Marriott’s part or not?


Correction: The Marriott page does note an update on it — I missed it because I was looking at the bottom of the page and it was on top. Thanks to Evan Schuman for catching my error. A sentence commenting that there was no note of update has since been removed, although it is still a silent update on a years-old notice — Dissent.

Categories: Business Sector, Hack


© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.